Editorial: Generalization of cybersecurity risks is the biggest risk for the European Union

Recently, the Ministry of Commerce officially submitted its comments on the revised draft of the EU Cybersecurity Law to the European Commission, expressing China's serious concerns. The draft proposes to establish a "blacklist" in 18 key industries, excluding relevant countries and suppliers throughout the entire chain. On the surface, it claims to be "security", but in reality, it introduces a set of "non-technical risk" assessment mechanisms full of political color and subjective arbitrariness, while also packaging geopolitics and pan security thinking together. The Chinese side believes that this is a typical practice of politicizing and promoting security in economic and trade issues, and this judgment hits the nail on the head.

Cybersecurity is a global concern, and it is understandable that the EU hopes to maintain its own cybersecurity. However, as pointed out by the Chinese side, there are multiple issues with the content of the draft. Firstly, it is suspected of violating the basic principles of the World Trade Organization such as most favored nation treatment and national treatment, which not only violates the rules of multiple multilateral trade agreements, but also violates the EU's service trade concession commitments. The principle of non discrimination is one of the fundamental principles of the World Trade Organization, and its core is that contracting parties cannot discriminate against specific enterprises and products based on their national background. The draft aims to exclude enterprises from specific countries from the EU market in all aspects and chains, which is a blatant challenge to multilateral trade rules.

Secondly, the draft is suspected of exceeding EU legal authorization and eroding the exclusive authority of member states to manage national security affairs. Maintaining national security is the responsibility of EU member states themselves, but the European Commission is attempting to centralize the power of cybersecurity risk assessment in Brussels through this draft, forcing member states to implement a single restriction measure with a "one size fits all" directive. This is an abuse of power in European economic integration, turning the EU from a market regulator to a 'geopolitical referee'.

Thirdly, it will cause substantial damage to the economic and trade relations between China and Europe, have a serious impact on the global supply chain, and will also drag down the EU's own digital and green transformation process. Although the draft text does not directly name any country or company, these standards are almost tailor-made for Chinese technology companies. 18 industries including energy, transportation, ICT, etc., it may not be realistic to completely exclude China from the entire chain. For example, the EU has a large demand for green energy products imported from China. If it forcibly excludes this mature supply chain with high cost-effectiveness and leading technology, it will damage its own competitiveness.

Chinese companies have been entering the European market for many years and strictly abide by local laws and regulations. Not only have they not endangered European national security, but they have also been writing a "win-win" story. This is an undeniable fact. As for where the real security risks of the EU come from, there are some well-known reports. For example, Snowden exposed the "Prism Gate" eavesdropping event in 2013, and the Danish media reported in 2021 that the intelligence agency of a country monitored European politicians through the Danish undersea Internet cable. When Europe's communication security is frequently threatened by systemic threats from other countries, the EU's focus on Chinese companies that have never had similar scandals is inexplicable.

Will the EU's network become more secure when Chinese companies are shut out? The answer is obvious. According to a recent report released by the Brussels based Institute for Technology Prospects, as many as 23 out of 28 European countries rely on US cloud services for their national security systems, with 16 countries facing a high risk of US "shutdown". That is to say, it is not China that has the ability to unilaterally cut off critical cloud services at any time. If we talk about 'excessive dependence', the European side may have found the wrong target.

We call on the European side to abandon the Cold War mentality of zero sum games, stop politicizing, weaponizing, and securitizing economic, trade, and technological issues, and return to the correct track of complying with international rules, respecting market rules, and resolving concerns through dialogue and consultation. The EU should seriously consider the constructive suggestions put forward by China: delete the provisions on "countries of concern for cybersecurity" and "non-technical risks" in the draft, delete or substantially modify the criteria for identifying "high-risk suppliers" and related restrictive measures. If the European side insists on enacting laws based on this and discriminates against Chinese companies, the Chinese side will have to take corresponding countermeasures.

An open Europe is in line with China's interests, and a developing China also provides enormous opportunities for Europe. The EU has benefited greatly from globalization and should deeply understand the true meaning of cooperation and win-win outcomes. In the name of security, practicing protectionism will ultimately harm one's competitiveness, consumers, and transformation process. I hope the European side will not underestimate China's firm determination to safeguard national interests and the legitimate rights and interests of enterprises, nor underestimate the cost of taking detours and wrong paths.